quote/"Is there a maximum number of roots that can be included in the Program? May there come a time when you don’t accept any more root certificates?

Yes. Increasing the number of root certificates made available through this Program can negatively affect Windows performance, since all root certificates are decoded into memory in every process that uses certificates. Actual performance degradation may differ based on version of Windows and type of hardware, but we consider the long-term impact of every decision to incorporate new root certificates, and new classes of CAs. We have not approached the number of root certificates where performance might be impacted, but we make individual application decisions with the long-term in mind. We reserve the right to make membership decisions in our sole discretion based on these criteria, and to change those criteria without notice in the event of any disruption to Windows performance.

Also, every additional root certificate increases the risk of a key compromise or bad certificates due to CA error for hundreds of millions of Windows users worldwide. As a result, we face increasing pressure from the worldwide security community to limit the number of root certificates we distribute for CAs. We only accept CAs that provide value to a large percentage of Microsoft Windows users worldwide or within a country or region. Going forward, we intend to work with the PKI and audit communities on audit regimes and assessor guidelines that will improve CA practices and justify our decision to admit additional CAs."/end quote

Also, I found this piece about "Microsoft and Mozilla ban Dutch government root certificate" on The Inquirer.

This thread has been locked.